Handle malformed encrypted requests without panics

Signed-off-by: Sean Du <do4suki@gmail.com>
This commit is contained in:
2026-07-13 08:03:18 +08:00
parent aebbc4b889
commit b1dfc68a0f
7 changed files with 135 additions and 91 deletions
+4 -1
View File
@@ -33,7 +33,10 @@ func handshake(ctx *gin.Context) {
return
}
decryptedData := encrypt.RSADecrypt(data)
decryptedData, err := encrypt.RSADecrypt(data)
if ss.CheckErr(err) {
return
}
params, err := url.ParseQuery(string(decryptedData))
if ss.CheckErr(err) {
+4 -1
View File
@@ -25,7 +25,10 @@ func authKey(ctx *gin.Context) {
if ss.CheckErr(err) {
return
}
dummyTokenDecrypted := encrypt.RSADecrypt(dummyToken)
dummyTokenDecrypted, err := encrypt.RSADecrypt(dummyToken)
if ss.CheckErr(err) {
return
}
// aesKey := dummyTokenDecrypted[0:16]
// authData, err := base64.StdEncoding.DecodeString(reqData.Get("auth_data").String())
+13 -1
View File
@@ -41,6 +41,10 @@ func login(ctx *gin.Context) {
}
xmcKey := utils.XOR(clientToken, serverToken)
if len(xmcKey) < 16 {
ss.Abort(errors.New("invalid login token data"))
return
}
aesKey := xmcKey[0:16]
reqData := gjson.Parse(ctx.MustGet("request_data").(string))
@@ -48,7 +52,15 @@ func login(ctx *gin.Context) {
if ss.CheckErr(err) {
return
}
loginKey := encrypt.AESCBCDecrypt(key, aesKey)[16:]
decryptedLoginKey, err := encrypt.AESCBCDecrypt(key, aesKey)
if ss.CheckErr(err) {
return
}
if len(decryptedLoginKey) < 16 {
ss.Abort(errors.New("invalid login key"))
return
}
loginKey := decryptedLoginKey[16:]
// fmt.Println("loginKey", string(loginKey))
// password, err := base64.StdEncoding.DecodeString(reqData.Get("login_passwd").String())
+9 -1
View File
@@ -186,13 +186,21 @@ func (ss *Session) CheckErr(err error) bool {
}
func (ss *Session) Respond(resp any) {
if ss.done {
return
}
data, err := json.Marshal(resp)
if ss.CheckErr(err) {
return
}
ss.resp.setHeader("Content-Type", "application/json")
ss.resp.setHeader("X-Message-Sign", base64.StdEncoding.EncodeToString(encrypt.RSASignSHA1(data)))
signature, err := encrypt.RSASignSHA1(data)
if ss.CheckErr(err) {
return
}
ss.resp.setHeader("X-Message-Sign", base64.StdEncoding.EncodeToString(signature))
ss.resp.writeBody(http.StatusOK, string(data))
}